VM is used for running Java applications on Windows PCs and comes with most Windows and Internet Explorer versions.
All builds up to and including build 5.0.3805 are affected by eight security flaws, two of which are serious with a further six posing a "low" or "moderate" risk to users, Microsoft said in security bulletin MS02-069.
One serious vulnerability could see a hacker exploit a "critical" flaw in a security feature of the VM to gain control over a user's system, while another "important" flaw could be exploited to trick the VM into giving an attacker read access to files on a user's PC and network drives.
Under Microsoft's security rating system, which was changed last month, critical vulnerabilities are those that could be exploited to allow malicious Internet worms to spread without user action. Important vulnerabilities are those that could expose user data or threaten system resources.
An attacker could exploit the VM flaws by luring a user to an especially coded Web page or sending that page via HTML (Hypertext Markup Language) e-mail, Microsoft said. The company urged users to upgrade to VM build 3809, which is available from the Windows Update Web site.
Users can check if and what version of Microsoft's VM is installed by opening a command box and entering "jview". VM is installed when a program runs. The version number appears in the topmost line.
Microsoft issued two other security bulletins this week, warning of issues with various Windows versions.
Deemed "important" is a privilege elevation vulnerability in Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000 and Windows XP.
A malicious user could gain administrative privileges on a system by exploiting the flaw, which lies in a Windows function, Microsoft said in security bulletin MS02-071.
Another Microsoft bulletin, MS02-070, details a "moderate" risk vulnerability in Windows 2000 and Windows XP without Service Pack 1 installed.
An attacker could change group policy data received by client systems by silently disabling the signing of Server Message Block (SMB) packets, Microsoft said.